1. Field of the Invention
The present invention relates to an IP connection processing device and, more particularly, to an IP connection processing device that, upon completion of user authentication, initiates a connection to an IP network in a designated area constructed by a wireless LAN or the like.
2. Description of the Related Art
Wireless LAN is one of the technologies that have been attracting attention, in recent years, due to the explosive proliferation of the Internet. Originally, the wireless LAN was developed as a technology for constructing a LAN environment in offices by using wireless connections. In recent years, however, a wireless LAN service called the “hot spot service” has been spreading which offers customers high-speed Internet access from public spaces such as railway stations and coffee shops by installing wireless LANs in such locations.
The packet communication speed of the wireless LAN is 11 Mbps based on the IEEE 802.11b specification. This is overwhelmingly faster than the maximum speed of 28.8 Kbps of the second generation mobile communication system PDC-P or the maximum speed of 384 Kbps of the third generation mobile communication system IMT-2000 (W-CDMA communication system).
Further, the hot spot service using wireless LANs employs flat fee billing plans, and thus offers cost advantages over the above-mentioned conventional systems which employ usage-based billing plans. Under the current circumstances, the hot spot service can only be used in limited areas, but this problem will be solved soon as the service areas are expanded to cover large areas where people gather.
The current hot spot service is based on the Internet Protocol version 4 (IPv4). However, with rapidly increasing numbers of terminals on IP networks in recent years, there is a concern that the IPv4 address space will soon be exhausted, and it is expected that the hot spot service will also transfer to the Internet Protocol version 6 (IPv6) that provides a greatly expanded address space.
FIG. 1 is a diagram showing one example of a network constructed using a wireless LAN and IPv6. The following description is given by taking the hot spot service as an example.
In FIG. 1, an IP terminal 10 is a notebook PC, PDA, or the like that has a capability to communicate with the wireless LAN. The IP terminal 10, for example, on the move, is connected to a wireless LAN access point (AP) 21 installed at a railway station or a coffee shop.
The access point 21 covers a hot spot area 20 within a prescribed range from the access point 21, and provides services, such as high-speed Internet connection service and an information service limited to that area, to the IP terminal 10 located within the hot spot area 20.
The access point 21 is connected to an access router (AR) 31, to which it is subservient, for connection to the Internet 40 via an operator network 30. The access router 31 is installed at a designated location, for example, within a station or a department store, or at an Internet service provider (ISP), a telephone switching office, or the like. The operator network 30 is constructed by interconnecting a plurality of such access routers.
An authentication server 32, which is installed at a particular location within the operator network 30, centrally processes user authentication of every IP terminal 10 located in each hot spot area 20. The IP terminal 10 whose user identity is authenticated by the authentication server 32 is permitted to access the Internet 40 and to perform communications such as Internet telephone (Voice over IP) with a correspondent node 41 by utilizing the high speed capability of the wireless LAN.
FIG. 2 is a diagram showing one example of an IPv6 connection sequence on the wireless LAN. FIG. 3 shows router advertisement message format.
In FIG. 2, when the IP terminal 10 moves into the hot spot area 20, it detects radio waves being radiated from the wireless LAN access point 21 (S101). Thereupon, the IP terminal 10 initiates connection processing (association) with the access point 21 (S102).
When a connection request is received from the IP terminal 10, the access point 21 requests the authentication server (RADIUS server) 32 to process the user authentication of the IP terminal 10 (S103). When the user authentication is successfully done, the IP terminal 10 is notified accordingly (S104) and, at the same time, the access point 21 opens its controlled port and allows the IP terminal 10 to access the IP network (S105).
Thereafter, when the IP terminal 10 receives a router advertisement message that the access router 31 multicasts periodically (S106) (refer, for example, to Document 1), the IP terminal 10 generates its own IP address to be used within the hot spot area 20 where it is located, by using the network prefix contained in the prefix field (Prefix) of the router advertisement message shown in FIG. 3 (S107) (refer, for example, to Document 2).
Using this IP address, the IP terminal 10 initiates communication based on IPv6 with the correspondent node 41 via the IP network including the Internet 40, etc. (S108). IPv6 is defined by its standardization body IETF (Internet Engineering Task Force) (refer, for example, to Document 3).
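As an added example that is not part of the original description, the following Python code carries out steps S106 and S107 on the terminal side: it validates a router advertisement message the way RFC 2461 requires (hop limit 255, link-local source, correct ICMPv6 checksum), extracts the Prefix Information option shown in FIG. 3, and forms an address by appending a modified EUI-64 interface identifier to each prefix whose autonomous flag is set, as RFC 2462 prescribes. The router advertisement bytes, the addresses and the MAC address are constructed for this example, not captured from the network of FIG. 1. The validity checks are the security-relevant part: once the port is opened at S105, any station on the same wireless LAN can transmit a router advertisement, so a terminal that accepts one without these checks will autoconfigure whatever prefix it is handed.

```python
"""Parse an IPv6 Router Advertisement and form a SLAAC address (added example)."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
PREFIX_FLAG_ON_LINK = 0x80
PREFIX_FLAG_AUTONOMOUS = 0x40


def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """RFC 2460 s.8.1: one's-complement sum over the IPv6 pseudo-header and the ICMPv6 message.
    Run over a message whose checksum field is already filled in, the result is 0 if it is intact."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IBBBB", len(icmp), 0, 0, 0, 58))  # length, zeros, next header ICMPv6
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def eui64_interface_id(mac: bytes) -> bytes:
    """Modified EUI-64 (RFC 2464 s.4): insert FF FE and invert the universal/local bit."""
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def build_router_advertisement(src, dst, prefix, plen=64, valid=2592000, preferred=604800):
    """Constructed sample input: an RA with one Prefix Information option (L and A flags set)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    option = (struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, plen,
                          PREFIX_FLAG_ON_LINK | PREFIX_FLAG_AUTONOMOUS, valid, preferred, 0)
              + ipaddress.IPv6Address(prefix).packed)
    icmp = header + option
    csum = icmpv6_checksum(src, dst, icmp)
    return icmp[:2] + struct.pack("!H", csum) + icmp[4:]


def parse_router_advertisement(src, dst, hop_limit, icmp):
    """Validate an RA per RFC 2461 s.6.1.2 and return its router lifetime and prefixes."""
    if hop_limit != 255:
        raise ValueError("hop limit must be 255 (RA must not have crossed a router)")
    if not ipaddress.IPv6Address(src).is_link_local:
        raise ValueError("RA source must be a link-local address")
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT or icmp[1] != 0:
        raise ValueError("not a router advertisement")
    if icmpv6_checksum(src, dst, icmp) != 0:
        raise ValueError("bad ICMPv6 checksum")
    (_type, _code, _sum, cur_hop_limit, _flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", icmp[:16])
    prefixes = []
    pos = 16
    while pos + 2 <= len(icmp):          # TLV options, length in units of 8 octets
        opt_type, opt_len = icmp[pos], icmp[pos + 1]
        if opt_len == 0:
            raise ValueError("option with zero length")
        body = icmp[pos:pos + opt_len * 8]
        if len(body) != opt_len * 8:
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            prefixes.append({"prefix": ipaddress.IPv6Address(body[16:32]), "length": plen,
                             "on_link": bool(pflags & PREFIX_FLAG_ON_LINK),
                             "autonomous": bool(pflags & PREFIX_FLAG_AUTONOMOUS),
                             "valid": valid, "preferred": preferred})
        pos += opt_len * 8
    return {"cur_hop_limit": cur_hop_limit, "router_lifetime": router_lifetime,
            "prefixes": prefixes}


def slaac_addresses(ra, mac):
    """RFC 2462 s.5.5.3: one address per autonomous, non-link-local prefix of length 64."""
    iid = eui64_interface_id(mac)
    addrs = []
    for p in ra["prefixes"]:
        if not p["autonomous"] or p["prefix"].is_link_local:
            continue
        if p["length"] != 64 or p["valid"] == 0 or p["preferred"] > p["valid"]:
            continue                      # prefix + 64-bit IID must fill 128 bits; odd lifetimes ignored
        addrs.append(ipaddress.IPv6Address(p["prefix"].packed[:8] + iid))
    return addrs


if __name__ == "__main__":
    ra_bytes = build_router_advertisement("fe80::1", "ff02::1", "2001:db8:1::")
    ra = parse_router_advertisement("fe80::1", "ff02::1", 255, ra_bytes)
    print([str(a) for a in slaac_addresses(ra, bytes.fromhex("001122334455"))])
```

The interface identifier formed here embeds the terminal's MAC address in every address it generates, which makes the terminal trackable across hot spot areas; RFC 3041 temporary addresses avoid that at the cost of changing addresses periodically.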
The predominantly used wireless LAN authentication method is based on IEEE 802.1X, defined by its standardization body IEEE (Institute of Electrical and Electronics Engineers). Authentication is carried in EAP (Extensible Authentication Protocol), using methods such as EAP-TLS (EAP with Transport Layer Security), EAP-TTLS (Tunneled TLS), PEAP (Protected EAP, for example PEAP-TLS), EAP-MD5, or the like. Of these, EAP-MD5 authenticates only the terminal and yields no keying material, so it is unsuited to a wireless link.
The authentication based on IEEE 802.1X is implemented by three entities: i) the supplicant (the IP terminal), which requires authentication for network access, ii) the authenticator (the AP), which controls network access at its port and, until that port is authorized, forwards only EAP frames from the terminal, and iii) the authentication server, which permits or denies network access. The above-described configuration is based on this arrangement.
FIG. 4 shows one example of a prior art configuration for IP connection processing in the IP terminal 10.
In FIG. 4, an interface section 11 performs wireless communication with the access point (AP) 21 by using a prescribed wireless communication scheme. A kernel section 12 shows the kernel section of a conventional IPv6-compliant operating system (OS), and contains an authentication processing section 14 and an IP processing section 13.
The authentication processing section 14 performs user authentication processing with the authentication server 32 via the access point (AP) 21. The IP processing section 13, upon receiving the first router advertisement message after successful completion of the user authentication, generates its own IP address by using the route prefix contained in the message. The sections 13 and 14 each operate individually in accordance with the connection sequence shown in FIG. 2.
In wireless LAN environments that provide hot spot services, there is an increasing need to support handover (switching from one access point to another) which occurs when the user moves around. According to the above-described wireless LAN, the communication session is not disconnected when effecting switching from one access point to another within the same IP subnet (served by the same access router).
However, in the case of access point switching across different IP subnets (served by different access routers), the communication session is disconnected and the IP connection processing has to be initiated once again, because the IP address of the IP terminal 10 changes. As a result, Mobile IP, which provides mobility without communication disconnection in a wireless LAN environment, becomes important. Mobile IP is a mechanism for managing mobility at the IP level, and has the advantage that the communication session is not disconnected even if the IP address changes, as described in the following example.
FIG. 5 is a diagram showing one example of another network constructed using a wireless LAN and IPv6. The following description is given by taking Mobile IPv6 as an example.
The only differences between FIG. 5 and the previously given FIG. 1 are that the IP terminal 10 in FIG. 1 is referred to as a mobile node (MN) 10′ in FIG. 5, and that a home agent (HA) 42 is connected to the Internet 40 in FIG. 5. Though differently named, the IP terminal 10 and the mobile node (MN) 10′ actually have the same functions.
The home agent 42 manages the location (area) of the mobile node 10′. For this purpose, the mobile node 10′ has a permanent IP address (HoA: Home Address) unique to it and an IP address (CoA: Care of Address) which is generated when the mobile node 10′ has moved into an area served by another access router (AR) 31.
The mobile node 10′ notifies the home agent 42 of the generated care-of address (CoA), and the home agent 42 replaces the care-of address it holds for that mobile node with the one notified. By so doing, communication with any destination mobile node 10′ is performed by way of the home agent 42 by using the permanent IP address (HoA) of that destination mobile node 10′ regardless of its current location.
The home agent 42 that received data with the permanent IP address (HoA) attached thereto forwards the data through tunneling by attaching the IP address (CoA) of the area where the destination mobile node 10′ is currently located. Similarly, the destination mobile node 10′ performs communication with the originating mobile node 10′ by way of the home agent 42 by using the permanent IP address (HoA) of the originating mobile node 10′.
FIG. 6 is a diagram showing one example of a Mobile IPv6 handover sequence in the wireless LAN environment.
In FIG. 6, the mobile node 10′ is communicating with a correspondent node (CN) 41′ by way of the home agent 42 in the area served by the current access point (current AP) 21 (S201). Next, the mobile node 10′ moves to a new area and detects radio waves being emitted from another access point (new AP) 21′ (S202 and S203). Thereupon, the mobile node 10′ initiates connection processing (association) with the new access point 21′ (S204).
The user authentication processing carried out in the subsequent steps S205 to S209 is the same as that carried out in the previously described steps S103 to S107 in FIG. 2. Next, the mobile node 10′ notifies the home agent 42 of the care-of address (CoA) it has generated by sending a Binding Update message (S210). In response, the home agent 42 updates the care-of address (CoA) to the new one, and notifies the mobile node 10′ of the completion of the updating by returning a Binding Acknowledgement message (S211).
The mobile node 10′ then resumes communication in the area served by the new access point 21′ and continues communication with the correspondent node (CN) 41′ by way of the home agent 42 (S212). As the home agent 42 centrally performs updating management and switching control as described above, the communication session is not disconnected even when the IP address is changed.
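The home agent's side of steps S210 to S212, and the tunnelling of FIG. 5, as an added example in Python that is not part of the patent or of any product: a mobile node numbers its Binding Update messages, the home agent keeps a binding cache from home address to care-of address, answers with a Binding Acknowledgement, and wraps packets addressed to the home address in an outer header addressed to the care-of address. The message fields and status values (0 accepted, 132 not home subnet, 135 sequence number out of window) and the 4-second lifetime unit are those of RFC 3775; the HomeAgent, MobileNode and Packet classes, the addresses and the timings are this example's own simplifications. The sequence-number check is the part a practitioner should not skip: without it a recorded Binding Update can be replayed later to redirect the mobile node's traffic to an old care-of address. RFC 3775 additionally requires the Binding Update to arrive through the mobile node's IPsec security association, which this model does not implement.

```python
"""Toy home agent for the FIG. 5 / FIG. 6 handover (added example)."""
import dataclasses
import ipaddress

# Binding Acknowledgement status values, RFC 3775 section 6.1.8.
STATUS_ACCEPTED = 0
STATUS_NOT_HOME_SUBNET = 132
STATUS_SEQ_OUT_OF_WINDOW = 135
LIFETIME_UNIT = 4   # RFC 3775 s.6.1.7: Binding Update lifetime is counted in 4-second units


@dataclasses.dataclass
class BindingUpdate:
    home_address: str
    care_of_address: str
    sequence: int       # 16-bit, compared modulo 2**16
    lifetime: int       # in LIFETIME_UNIT seconds; 0 asks the home agent to delete the binding


@dataclasses.dataclass
class BindingAck:
    status: int
    sequence: int
    lifetime: int


@dataclasses.dataclass
class Packet:
    src: str
    dst: str
    payload: object     # application data, or an inner Packet when tunnelled


def sequence_is_newer(new: int, last: int) -> bool:
    """True if `new` is later than `last` in 16-bit serial-number arithmetic (wraps at 65535)."""
    return 0 < (new - last) % 65536 < 32768


class MobileNode:
    """Mobile node side: each Binding Update carries a strictly increasing sequence number."""

    def __init__(self, home_address: str):
        self.home_address = home_address
        self.sequence = 0

    def binding_update(self, care_of_address: str, lifetime: int) -> BindingUpdate:
        self.sequence = (self.sequence + 1) % 65536
        return BindingUpdate(self.home_address, care_of_address, self.sequence, lifetime)


class HomeAgent:
    def __init__(self, address: str, home_prefix: str, max_lifetime: int = 0xFFFF):
        self.address = address
        self.home_prefix = ipaddress.IPv6Network(home_prefix)
        self.max_lifetime = max_lifetime
        self.binding_cache = {}   # home address -> {"coa", "seq", "expires"}

    def handle_binding_update(self, bu: BindingUpdate, now: float) -> BindingAck:
        """Process a Binding Update (S210) and return the Binding Acknowledgement (S211).
        Assumed here: the message already passed the IPsec check RFC 3775 s.5.1 demands."""
        if ipaddress.IPv6Address(bu.home_address) not in self.home_prefix:
            return BindingAck(STATUS_NOT_HOME_SUBNET, bu.sequence, 0)
        entry = self.binding_cache.get(bu.home_address)
        if entry is not None and not sequence_is_newer(bu.sequence, entry["seq"]):
            # Replayed or out-of-order update: report the last accepted number so the MN can resync
            return BindingAck(STATUS_SEQ_OUT_OF_WINDOW, entry["seq"], 0)
        if bu.lifetime == 0:
            self.binding_cache.pop(bu.home_address, None)
            return BindingAck(STATUS_ACCEPTED, bu.sequence, 0)
        granted = min(bu.lifetime, self.max_lifetime)
        self.binding_cache[bu.home_address] = {
            "coa": bu.care_of_address, "seq": bu.sequence,
            "expires": now + granted * LIFETIME_UNIT}
        return BindingAck(STATUS_ACCEPTED, bu.sequence, granted)

    def intercept(self, pkt: Packet, now: float) -> Packet:
        """A packet for a home address arriving on the home link: tunnel it to the CoA if bound,
        otherwise (no binding, or binding expired) deliver it on the home link unchanged."""
        entry = self.binding_cache.get(pkt.dst)
        if entry is None:
            return pkt
        if entry["expires"] <= now:
            del self.binding_cache[pkt.dst]
            return pkt
        return Packet(src=self.address, dst=entry["coa"], payload=pkt)   # IPv6-in-IPv6


if __name__ == "__main__":
    ha = HomeAgent("2001:db8:0:1::1", "2001:db8:0:1::/64")
    mn = MobileNode("2001:db8:0:1::100")
    print(ha.handle_binding_update(mn.binding_update("2001:db8:0:2::beef", 15), now=0))
    print(ha.intercept(Packet("2001:db8:5::cn", "2001:db8:0:1::100", "hello"), now=10))
```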
Mobile IP as standardized by the IETF in RFC 2002 (since revised as RFC 3344; refer, for example, to Document 4) is based on IPv4, but as the basic operation of Mobile IPv6 (at the time an Internet-Draft, later published as RFC 3775) is the same, the above example has been described for the case of Mobile IPv6.
Document 1: RFC 2461, "Neighbor Discovery for IP Version 6 (IPv6)", Internet<www.ietf.org/rfc/rfc2461.text>
Document 2: RFC 2462, "IPv6 Stateless Address Autoconfiguration", Internet<www.ietf.org/rfc/rfc2462.text>
Document 3: RFC 2460, "Internet Protocol, Version 6 (IPv6) Specification", Internet<www.ietf.org/rfc/rfc2460.text>
Document 4: RFC 3344, "IP Mobility Support for IPv4", Internet<www.ietf.org/rfc/rfc3344.text>
The network configuration using the wireless LAN and IPv6 shown in FIG. 1 has had the problem that it takes much time to process IPv6 connections in a wireless LAN environment that requires user authentication. The reason is that, as shown in the IPv6 connection sequence of FIG. 2, even when the user authentication is done successfully and the terminal is ready to initiate communication (S105), the IP connection processing is not initiated until a router advertisement message is received from the access router 31 (S106 to S108).
RFC 2461, "Neighbor Discovery for IP Version 6 (IPv6)", standardized by the IETF, defines the interval at which a router multicasts unsolicited router advertisement messages: each interval is chosen at random between the configured MinRtrAdvInterval and MaxRtrAdvInterval, whose defaults are 198 seconds (0.33 times MaxRtrAdvInterval) and 600 seconds, and MinRtrAdvInterval may be set no lower than 3 seconds. This means that, depending on the transmission timing of the router advertisement message, there is a delay of several seconds to several minutes (up to the configured maximum interval, ten minutes with the defaults) from the completion of the user authentication to the reception of the next unsolicited router advertisement message.
This has resulted in the problem that, despite successful completion of the user authentication, IP communication using a browser or communication applications on the IP terminal 10 cannot be initiated promptly. This problem has been attributed not only to the delay in receiving the router advertisement message from the network side, but also to the IP connection processing configuration of the prior art IP terminal 10.
As explained for the prior art configuration shown in FIG. 4, in a conventional IPv6-compliant operating system (OS) the authentication processing section 14 and the IP processing section 13 contained in the kernel each operate individually in accordance with the connection sequence shown in FIG. 2. Accordingly, when the user authentication processing is completed, the authentication processing section 14 terminates its process, and the IP connection processing is initiated by using the reception of the router advertisement message as a trigger.
In this way, the prior art configuration has no means for actively requesting the network to transmit the router advertisement message early. Where such means is provided, the authentication processing section and the IP processing section are not configured to operate cooperatively: if the request packet (a router solicitation) is transmitted before the authentication is complete, it is discarded at the access point (AP), whose port passes only authentication frames until then, leaving no choice but to wait until the periodic router advertisement message is received.
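To make the timing above concrete, the following Python model, which is an added example and not part of the patent or of any product, puts the three parties of the FIG. 2 sequence together: an authenticator whose controlled port forwards only EAP frames until authentication succeeds, a router that multicasts unsolicited advertisements at random intervals between MinRtrAdvInterval and MaxRtrAdvInterval and answers a router solicitation after a random delay of at most MAX_RA_DELAY_TIME (0.5 s) but no sooner than MIN_DELAY_BETWEEN_RAS (3 s) after its previous advertisement, and a terminal that may send a solicitation at a chosen time. The timer constants are RFC 2461's; the port model, the event times and the random placement of authentication completion are constructed for the example. It shows the three cases just described: no solicitation at all, a solicitation sent before the port opens (discarded at the AP), and a solicitation sent right after the port opens.

```python
"""Timing model for the FIG. 2 connection sequence (added example)."""
import random

# RFC 2461 router constants: section 6.2.1 defaults and section 6.2.6 solicitation limits.
MAX_RTR_ADV_INTERVAL = 600.0     # default MaxRtrAdvInterval, seconds
MIN_RTR_ADV_INTERVAL = 198.0     # default MinRtrAdvInterval = 0.33 * MaxRtrAdvInterval
MAX_RA_DELAY_TIME = 0.5          # random delay before answering a Router Solicitation
MIN_DELAY_BETWEEN_RAS = 3.0      # rate limit between multicast Router Advertisements


def unsolicited_ra_times(rng, horizon, lo=MIN_RTR_ADV_INTERVAL, hi=MAX_RTR_ADV_INTERVAL):
    """Router's unsolicited RA schedule: successive gaps uniform in [lo, hi]."""
    times, t = [], 0.0
    while t <= horizon:
        t += rng.uniform(lo, hi)
        times.append(t)
    return times


def controlled_port_passes(frame_kind, port_authorized):
    """IEEE 802.1X authenticator: until EAP-Success, only EAP frames cross the controlled port."""
    return port_authorized or frame_kind == "EAP"


def address_ready_time(auth_done, ra_times, rs_time=None, ra_delay=0.0):
    """Time at which the terminal holds an RA and can run S107/S108.

    auth_done: when the AP opens its port (S105).
    ra_times:  the router's unsolicited RA schedule.
    rs_time:   when the terminal sends a Router Solicitation, or None for none.
    ra_delay:  the router's random delay for the solicited RA (0..MAX_RA_DELAY_TIME).
    """
    next_unsolicited = min((t for t in ra_times if t > auth_done), default=float("inf"))
    if rs_time is None:
        return next_unsolicited
    if not controlled_port_passes("ICMPv6", port_authorized=rs_time >= auth_done):
        return next_unsolicited            # RS discarded at the AP: nothing gained
    last_ra = max((t for t in ra_times if t <= rs_time), default=-float("inf"))
    solicited = max(rs_time + ra_delay, last_ra + MIN_DELAY_BETWEEN_RAS)
    return min(solicited, next_unsolicited)


def mean_wait(seed=1, trials=2000, solicit=False):
    """Average seconds from port-open to address over random authentication times."""
    rng = random.Random(seed)
    horizon = 50_000.0
    ra_times = unsolicited_ra_times(rng, horizon + MAX_RTR_ADV_INTERVAL)
    total = 0.0
    for _ in range(trials):
        auth_done = rng.uniform(MAX_RTR_ADV_INTERVAL, horizon)
        rs_time = auth_done if solicit else None
        ready = address_ready_time(auth_done, ra_times, rs_time,
                                   rng.uniform(0.0, MAX_RA_DELAY_TIME))
        total += ready - auth_done
    return total / trials


if __name__ == "__main__":
    schedule = [120.0, 318.0]                                   # constructed RA times
    print(address_ready_time(130.0, schedule))                  # wait for the next RA
    print(address_ready_time(130.0, schedule, rs_time=129.0, ra_delay=0.3))   # RS dropped
    print(address_ready_time(130.0, schedule, rs_time=130.0, ra_delay=0.3))   # RS answered
    print(round(mean_wait(), 1), round(mean_wait(solicit=True), 2))
```

With the RFC defaults the average wait for an unsolicited advertisement comes out a little above 200 seconds (a random arrival tends to land in a long gap), whereas a solicitation sent the moment the port opens is answered within about half a second, apart from the rare case where the router's 3-second rate limit applies. That difference is the whole gain a cooperative authentication and IP processing arrangement can obtain.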
This problem becomes more serious when mobility is added to the IP terminal 10. This is because, as the IP terminal 10 moves, the access router 31 on the network side frequently changes and, each time this happens, the communication in progress is disconnected and the IP connection processing, including the user authentication processing, has to be performed once again. In view of this, in the example of FIG. 5, the network configuration based on Mobile IPv6 is used in the wireless LAN environment, in an attempt to prevent communication disconnections associated with IP address changes.
However, as is apparent from the IP connection sequence of FIG. 6, in the current wireless LAN environment, reconnection processing at IPv6 level, including the user authentication processing, necessarily occurs when the mobile node moves across different access routers. Accordingly, if it takes much time to complete the processing, a similar problem to that in the example of FIG. 1 can occur even when the Mobile IPv6 is employed.
For example, if the processing time becomes too long, the communication with the correspondent node 41′ is disconnected. Further, if a handover occurs while the user is in the process of communication, the application program is temporarily shut off and remains off until the IP communication is resumed; in particular, in the case of a realtime application such as Internet telephone (VoIP) or a video stream, a prolonged non-communication time causes a serious problem.
The above problem becomes more serious when the user authentication processing is performed using encrypted packets, as in PEAP-TLS. In this case, the reception of the final authentication packet has to be followed by deciphering it before the result of the authentication is known, so the terminal recognizes the successful completion of the authentication later still, and high-speed handover becomes correspondingly more difficult.
In the above cases, there is a need to further enhance the speed of the IP connection processing in the wireless LAN environment by reducing the processing burden on an access point (AP) which is accessed by a plurality of users.